June 12, 2019

posted on Wednesday, June 12, 2019 at 7:05 AM

Radiohead releases ‘OK Computer’ sessions that hacker tried to ransom

By Lisa Vaas

Well, bless
your heart, the band Radiohead said after it was hacked and asked to pay a
ransom for 18 hours of unheard music – a request that it eschewed, instead
releasing the music on Bandcamp in order to aid Extinction Rebellion.

The extortionist
demanded $150,000 after stealing 18 hours of music last week, according to a
tweet from Radiohead guitarist Jonny Greenwood on Tuesday. It was stolen from
Radiohead frontman Thom Yorke’s archive from around the time of the release of
the 1997 album OK Computer.

Act fast: this
offer won’t last. Greenwood said it’s good only for the next 18 days.

So, for £18
you can find out if we should have paid that ransom.

Though the music
wasn’t intended for public consumption and is only “tangentially interesting,”
Greenwood said, some clips did reach the cassette in the OK Computer
reissue. Not only is it not particularly interesting, it’s also “very, very
long,” he said – “not a phone download.”

Would you trust a
website simply because the connection to it is secured using HTTPS backed by
the green padlock symbol?

Not if you’re
informed enough to understand what HTTPS
signifies (an encrypted, secure connection with a server) and doesn’t
signify (that the server is therefore legitimate).

This week the FBI
issued a warning that
too many web users view the padlock symbol and the ‘S’ on the end of HTTP as a
tacit guarantee that a site is trustworthy.

Given how easy it
is to get hold of a valid TLS certificate for nothing, as well as the
possibility that a legitimate site has been hijacked, this assumption has
become increasingly dangerous.

Unfortunately,
cybercriminals have spotted the confusion about HTTPS, which accounts for the
growing number of phishing attacks deploying it to catch people off guard. The
FBI alert confirms:

They [phishing
attackers] are more frequently incorporating website certificates – third-party
verification that a site is secure – when they send potential victims emails
that imitate trustworthy companies or email contacts.

How we got here

Today, all
competently managed websites use HTTPS, a big change from even a handful of
years ago when its use was limited overwhelmingly to sites either allowing
password login or conducting transactions as required by the industry PCI-DSS
card standard.

Hackers stole photos of travelers and license plates from subcontractor

By Lisa Vaas

Images of
travelers and license plates that a subcontractor copied from a database
maintained by the US Customs and Border Protection (CBP) to his own network
have been ripped off by hackers, the agency confirmed on Monday, adding yet
more reasons for critics to warn about the perils to privacy that come with the
government’s burgeoning use of facial recognition (FR) surveillance
technologies.

A CBP
spokesperson told news outlets that the agency learned on 21 May 2019 that the
subcontractor “transferred copies of license plate images and traveler images
collected by CBP to the subcontractor’s company network.”

That transfer was
done in “violation of CBP policies and without CBP’s authorization or
knowledge,” the spokesperson said.

First hop:
improperly copied to the contractor’s network. Second hop: hacked away by
malicious actor(s). The CBP spokesperson:

The
subcontractor’s network was subsequently compromised by a malicious
cyber-attack. No CBP systems were compromised.

All eyes turn to Perceptics

If it’s got any
more details, the CBP isn’t giving them out. The agency hasn’t publicly named
the subcontractor, nor exactly how many photos were involved.

Looking at the
spec sheet, it’s not hard to understand why someone in search of an affordable
but well-specified home security camera would choose the wireless
IPM-721 series from US company Amcrest.

Launched around
2015, it offers 720p HD quality, two-way audio, the ability to pan and tilt,
night vision, rounded off with four hours of cloud storage for your video
footage at no extra cost.

This week, we
learned that the camera had another less welcome characteristic in the form of
six security flaws discovered back in 2017 by a researcher at security outfit
Synopsys.

The 721 family
has since been superseded by newer designs, which doesn’t, of course, mean that
the many thousands of people who bought the product will stop using it just
because a researcher has turned up security issues.

Those cameras are
out there, an unknown number of which are in a vulnerable state that an
attacker might identify using the Shodan search engine if they are configured
to be accessible via the internet. Ideally, these cameras need to be identified
and patched as soon as possible.

There are really
three issues in play here – the nature and severity of the flaws, how users
should go about updating the firmware to secure their cameras, and why it’s
taken until 2019 for owners to hear about them.

The flaws

According
to Threatpost, which spoke to the Synopsys researcher who uncovered the
flaws, there are six vulnerabilities, now identified as CVE-2017-8226,
CVE-2017-8227, CVE-2017-8228, CVE-2017-8229, CVE-2017-8230 and CVE-2017-13719.

We weren’t able
to track down an advisory from Amcrest, but Synopsys posted
outlines of each on Bugtraq.

As Apple
continues its privacy
march, the upcoming iOS 13 mobile update will be right there, and it’s
pulling tracking apps along.

Apple showed off
iOS 13 last week at its Worldwide Developers Conference (WWDC).

Beta testers at 9to5Mac have discovered that the upcoming
release, now in preview, will tell you what
apps are tracking you in the background and will give you the option of
switching them off. Ditto for iPadOS.

The new feature
comes in the form of a map that displays how a given app – 9to5Mac showed
screenshots of popup notifications about tracking apps from Tesla and the Apple
Store – has been tracking you in the background, as in, when you’re not
actually using the app.

The notifications
show a map of the specific location data a given app has tracked, displaying
the snail-slime trails that we all leave behind in our daily travels and which
so many apps are eager to sniff
at for marketing purposes.

Or for other
reasons, as well. Besides the map, the popups will also provide the app’s
rationale for needing access to a user’s background location.
